SOLVED: [Samba] Authentication problem with samba 3.3.4 on AIX 5.3:

Arendt, Volker Arendt at wiwi.uni-wuppertal.de
Tue Jun 9 18:30:05 GMT 2009


Hi David,

That's it! Thanks a lot!!!

Volker

-----Original Message-----
From: David Markey [mailto:dmarkey at dodds.dmarkey.com]
Sent: Tue 09.06.2009 20:13
To: William Jojo
Cc: Arendt, Volker; samba at lists.samba.org
Subject: Re: [Samba] Authentication problem with samba 3.3.4 on AIX 5.3
 
AIX doesn't have a pam.conf. It uses LAM.

Change
obey pam restrictions = yes
to
obey pam restrictions = no




William Jojo wrote:
> Arendt, Volker wrote:
>> Hello all,
>>
>> we currently do have a problem with samba 3.3.4 on AIX 5.3.
>> We have set up the samba system to integrate in our AD Domain.
>> Integration was successful (net ads join), wbinfo executes with parameters
>> -ugt without any problems. Our smb.conf content follows at the end of
>> this mail.
>>
>> We have defined just one share as follows:
>> [smbtest]
>> writeable = yes
>> path = /gpfs/fbb/ls/cip
>> valid users =
>>
>> When we connect from a Windows XP System we get the following error
>> message:
>> ---
>> C:\Programme\Support Tools>net use p: \\frigg\smbtest
>> Systemfehler 2239 aufgetreten.
>>
>> Dieses Benutzerkonto ist abgelaufen.
>> ---
>> translated: user account has expired
>>
>> In the system log file we get:
>>
>> ---------------------------------------------------------------------------
>> [2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
>>   Mapped to [FB6] (using PAC)
>> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_alloc(133)
>>   Finding user FB6+AdmMJ
>> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(77)
>>   Trying _Get_Pwnam(), username as lowercase is fb6+admmj
>> [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(110)
>>   Get_Pwnam_internals did find user [FB6+AdmMJ]!
>> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(472)
>>   smb_pam_start: PAM: Init user: admmj
>> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(489)
>>   smb_pam_start: PAM: setting rhost to: 132.195.123.104
>> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(498)
>>   smb_pam_start: PAM: setting tty
>> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(506)
>>   smb_pam_start: PAM: Init passed for user: admmj
>> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_account(564)
>>   smb_pam_account: PAM: Account Management for User: admmj
>> [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_account(571)
>>   smb_pam_account: PAM: User admmj no longer permitted to access system
>> [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
>>   smb_pam_error_handler: PAM: Account Check Failed : User account has expired
>> [2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
>>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
>> [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_end(450)
>>   smb_pam_end: PAM: PAM_END OK.
>>
>> ---------------------------------------------------------------------------
>>   
>
> Hey, Volker. It's been a while. Couple of questions:
>
> 1) What does /etc/pam.conf look like and
>
> 2) What does /opt/pware/lib/fbb-projekte.conf look like?
>
>
> Glad to see you are still using the pWare stuff. :-) :-) How is your
> cluster testing going? I need to contact Miguel again to see how he is
> making out.
>
> Cheers,
> Bill
>
>> An error log, debug level 10 is available on request.
>>
>> Kind regards
>>
>> Volker
>>
>>
>> SMB.CONF
>>
>> ---------------------------------------------------------------------------
>> [global]
>>
>> # --------------------------------------------------------
>> # setting base configuration parameters
>> #
>> # --------------------------------------------------------
>> workgroup = FB6
>> netbios name = FRIGG
>> server string = AFS-2
>> security = ADS
>> realm = FB6.UNI-WUPPERTAL.DE
>> auth methods = winbind
>> # password server = AD logon server
>> password server = 132.195.120.9 132.195.120.12
>> wins server = 132.195.120.12
>> client use spnego = yes
>> client signing = yes
>> # added because of ticket #5344
>> #client lanman auth = no
>> #client ntlmv2 auth = yes
>> encrypt passwords = yes
>> host msdfs = no
>> #domain logons = yes
>>
>> # for Samba 3.3.0
>> # so that no encrypted connection to the domain controller
>> # is established
>> ldap ssl = no
>>
>> # ---------------------------------------------------------
>> # printer settings
>> # ??? better disable these settings ???
>> # ---------------------------------------------------------
>> # printcap name = cups
>> # disable spoolss = Yes
>> # show add printer wizard = No
>>
>> # ---------------------------------------------------------
>> # ID mapping parameters
>> # mapping windows users to unix users
>> # this is performed on the basis of sid on windows and
>> # unix with uid for users and gid for groups
>> # the backend parameter rid allows to get the same mapping
>> # from sid to uid because it is determined algorithmically
>> # that way we get the same mapping even if we use samba on
>> # several disparate systems
>> # CHANGE NOTIFICATION: with v3.3.0 there are changes
>> # to idmap; idmap domains is no longer supported
>> # ---------------------------------------------------------
>> #idmap domains = FB6
>> #idmap backend = rid
>> idmap backend = tdb
>> idmap config FB6:backend   = rid
>> #idmap config FB6:base_rid  = 0
>> idmap config FB6:range     = 10000 - 49999
>> idmap uid = 10000-49999
>> idmap gid = 10000-49999
>>
>> winbind separator =+
>> winbind use default domain = Yes
>> winbind enum users = no
>> winbind enum groups = no
>> winbind cache time = 60
>> winbind gid = 10000-49999
>> winbind uid = 10000-49999
>>
>> template homedir = /gpfs/fbb/user/%U
>> template shell = /opt/pware/bin/bash
>> #use sendfile = Yes
>> #printing = cups
>> #ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"
>>
>> #-------------------------------------------------------
>> # Logging options
>> #
>> #-------------------------------------------------------
>> #
>> # higher log levels have a negative impact on performance
>> log level = 10
>> log file = /opt/pware/var/log/samba.log.%m
>> max log size = 5000000
>> debug timestamp = yes
>> obey pam restrictions = yes
>> #utmp = yes
>>
>> #-------------------------------------------------------
>> # ACL Support
>> #
>> #-------------------------------------------------------
>> map acl inherit = yes
>> nt acl support = yes
>> inherit acls = yes
>> inherit permissions = yes
>> inherit owner = yes
>> admin users = @"FB6+domain admins"
>>
>> #-------------------------------------------------------
>> # Performance options
>> #
>> #-------------------------------------------------------
>> socket options = TCP_NODELAY IPTOS_LOWDELAY
>> include = /opt/pware/lib/fbb-projekte.conf
>>   
>
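
A triage sketch for the failure in this thread, added here as an example and not code from any poster or from Samba: it joins the two-line log records (including lines wrapped by a mail client), extracts each PAM account rejection with its reason, and reads the effective `obey pam restrictions` value from `[global]`. The sample log and smb.conf text are constructed, and the function names are hypothetical.

```python
import re
# Constructed samples in the layout quoted in the thread (not real captures).
SAMPLE_LOG = """\
[2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has
expired
[2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
admmj!
"""
SAMPLE_CONF = "[global]\n; obey pam restrictions = no\nObey PAM Restrictions = Yes\n[smbtest]\nwriteable = yes\n"
HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+:(\w+)\(\d+\)")

def parse_records(text):
    """Join each header line with its message lines, including wrapped ones."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"ts": m.group(1), "func": m.group(2), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def pam_rejections(records):
    """Return (timestamp, user, reason) for each PAM account-check rejection."""
    out, reason = [], None
    for r in records:
        failed = re.search(r"Account Check Failed\s*:\s*(.+)", r["msg"])
        rejected = re.search(r"Rejecting User\s+(\S+?)!", r["msg"])
        if failed:
            reason = failed.group(1)
        if r["func"] == "smb_pam_accountcheck" and rejected:
            out.append((r["ts"], rejected.group(1), reason))
            reason = None
    return out

def global_bool(conf, name):
    """Last [global] value of a boolean parameter; None when it is not set."""
    norm = lambda s: re.sub(r"\s+", "", s).lower()  # compare ignoring case and spaces
    section, value = None, None
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            k, v = line.split("=", 1)
            if norm(k) == norm(name):
                value = v.strip().lower() in ("yes", "true", "1")
    return value
```

A rejection list that is non-empty while `global_bool(conf, "obey pam restrictions")` is true matches the situation in this thread. With the parameter set to `no`, smbd ignores PAM account and session management directives, so account expiry and access restrictions then rest on the domain controller's own checks.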



